Hi there,

The issue was raised on debian-devel[0] that this bug still affects
unstable and is causing jenkins to be a candidate for removal from
wheezy. I have backported the fixes for these issues from upstream git;
they are attached to this e-mail as separate quilt patches for the sake
of cleanliness.

I have also uploaded a source NMU package[1] to mentors.debian.net,
which I intend to seek sponsorship for if I don't get a reply to this
bug report within 72 hours (as the deadline given by the Release Team
for removal from testing is 31st January).

Please let me know if you need anything further from me.

Thanks,
Steven.

[0] Thread "Candidates for removal from testing (2013-01-24)", which
doesn't seem to be in the web archives yet.

[1] http://mentors.debian.net/package/jenkins
Description: Cherry-picked fix from 1.480.1
 Security issue:
   - CVE-2012-6073 open redirect
Origin: Upstream, commit ab0ac1ac499f734892c2203edc508a6dbf5fa42d
Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696816
--- a/core/src/main/java/hudson/Util.java
+++ b/core/src/main/java/hudson/Util.java
@@ -1173,6 +1173,31 @@
     }
 
     /**
+     * Return true if the systemId denotes an absolute URI .
+     *
+     * The same algorithm can be seen in {@link URI}, but
+     * implementing this by ourselves allow it to be more lenient about
+     * escaping of URI.
+     */
+    public static boolean isAbsoluteUri(String uri) {
+        int idx = uri.indexOf(':');
+        if (idx<0)  return false;   // no ':'. can't be absolute
+
+        // #, ?, and / must not be before ':'
+        return idx<_indexOf(uri, '#') && idx<_indexOf(uri,'?') && idx<_indexOf(uri,'/');
+    }
+
+    /**
+     * Works like {@link String#indexOf(int)} but 'not found' is returned as s.length(), not -1.
+     * This enables more straight-forward comparison.
+     */
+    private static int _indexOf(String s, char ch) {
+        int idx = s.indexOf(ch);
+        if (idx<0)  return s.length();
+        return idx;
+    }
+
+    /**
      * Loads a key/value pair string as {@link Properties}
      * @since 1.392
      */
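Review bot: isAbsoluteUri() returns false for any string that contains no ':', so a scheme-relative reference such as `//attacker.example/` (no colon, first '/' at index 0) is classified as not absolute even though browsers resolve it against the current scheme and send the user to the other host; since the callers in this patch use this predicate to decide whether a redirect target is safe, consider returning true for strings starting with `//` as well (or adding that check at the call sites). Two smaller points: the Javadoc names the parameter `systemId` while the method takes `uri`, and `{@link URI}` only resolves if `java.net.URI` is imported or the name is fully qualified.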
--- a/core/src/main/java/hudson/model/DirectoryBrowserSupport.java
+++ b/core/src/main/java/hudson/model/DirectoryBrowserSupport.java
@@ -137,7 +137,7 @@
         String pattern = req.getParameter("pattern");
         if(pattern==null)
             pattern = req.getParameter("path"); // compatibility with Hudson<1.129
-        if(pattern!=null) {
+        if(pattern!=null && !Util.isAbsoluteUri(pattern)) {// avoid open redirect
             rsp.sendRedirect2(pattern);
             return;
         }
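Review bot: the new guard `!Util.isAbsoluteUri(pattern)` still passes scheme-relative values such as `//other-host/` to `rsp.sendRedirect2(pattern)`, because that helper only looks for a ':' ahead of any '/', '?' or '#'; an explicit `!pattern.startsWith("//")` next to it would close that gap. Note also that a rejected pattern is dropped silently and the method falls through to normal directory rendering; that is acceptable for the fix, but a short comment or log line saying the fall-through is intentional would help the next reader.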
--- a/core/src/main/java/hudson/security/AuthenticationProcessingFilter2.java
+++ b/core/src/main/java/hudson/security/AuthenticationProcessingFilter2.java
@@ -31,6 +31,7 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import hudson.Util;
 import org.acegisecurity.AuthenticationException;
 import org.acegisecurity.ui.webapp.AuthenticationProcessingFilter;
 
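Review bot: `import hudson.Util;` is inserted between the `javax.servlet.*` and `org.acegisecurity.*` groups; the imports visible here are grouped by package, so it would read better with the file's other `hudson.*` imports (if any, above this hunk) or at least in its own group rather than splitting the two existing ones.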
@@ -50,6 +51,9 @@
         if (targetUrl == null)
             return getDefaultTargetUrl();
 
+        if (Util.isAbsoluteUri(targetUrl))
+            return "."; // avoid open redirect
+
         // URL returned from determineTargetUrl() is resolved against the context path,
         // whereas the "from" URL is resolved against the top of the website, so adjust this.
         if(targetUrl.startsWith(request.getContextPath()))
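Review bot: returning the literal `"."` when targetUrl is absolute is inconsistent with the null case two lines above, which returns `getDefaultTargetUrl()`; returning the default target here as well keeps the post-login landing page defined in one place and avoids a relative `"."` that resolves against whatever path the login filter happens to be mounted on. The check also sits before the context-path adjustment, so a same-origin absolute URL (`http://this-host/<contextPath>/...`) is rejected too, which is the conservative choice; but the scheme-relative `//host` gap in isAbsoluteUri applies here unchanged, so a `startsWith("//")` test alongside it is worth adding.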
--- a/core/src/test/java/hudson/UtilTest.java
+++ b/core/src/test/java/hudson/UtilTest.java
@@ -230,4 +230,14 @@
 			}
 		}
     }
+
+    public void testIsAbsoluteUri() {
+        assertTrue(Util.isAbsoluteUri("http://foobar/";));
+        assertTrue(Util.isAbsoluteUri("mailto:k...@kohsuke.org"));
+        assertTrue(Util.isAbsoluteUri("d123://test/"));
+        assertFalse(Util.isAbsoluteUri("foo/bar/abc:def"));
+        assertFalse(Util.isAbsoluteUri("foo?abc:def"));
+        assertFalse(Util.isAbsoluteUri("foo#abc:def"));
+        assertFalse(Util.isAbsoluteUri("foo/bar"));
+    }
 }
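Review bot: the first assertion reads `Util.isAbsoluteUri("http://foobar/";)` with a stray `;` inside the argument list, which will not compile as shown (most likely archive mangling of the URL, but check the patch file before applying), and the mailto address appears truncated to `k...@kohsuke.org` by the archive. The test also has no scheme-relative case; adding `assertFalse(Util.isAbsoluteUri("//foobar/"))` would document that such values are currently classified as non-absolute, and should become `assertTrue` if the helper is extended to treat `//host` as absolute.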
Description: Cherry-picked fix from 1.480.1
 Security issue:
   - CVE-2012-6074 cross-site scripting vulnerability
Origin: Upstream, commit 1d48e7bf8254349a19328d56bd8006635a95866d
Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696816
--- a/core/src/main/resources/hudson/widgets/HistoryWidget/entry.jelly
+++ b/core/src/main/resources/hudson/widgets/HistoryWidget/entry.jelly
@@ -68,7 +68,7 @@
     <tr class="${transitive}">
       <td></td>
       <td colspan="2" class="desc">
-        <j:out value="${build.truncatedDescription}"/>
+        <j:out value="${app.markupFormatter.translate(build.truncatedDescription)}"/>
       </td>
     </tr>
   </j:if>
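Review bot: `build.truncatedDescription` is truncated before it reaches `app.markupFormatter.translate(...)`, so when the description contains markup the cut can land inside a tag or attribute and the formatter is handed a fragment; translating the full description and truncating the formatted result (or escaping the truncated text, if the configured formatter is the escaping one) avoids that. Only this widget entry is changed here; any other template that `j:out`s a build description directly would need the same wrapping for the XSS to be closed everywhere.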
